From ... Path: supernews.google.com!sn-xit-02!supernews.com!isdnet!newsfeeds.belnet.be!news.belnet.be!news.tele.dk!129.240.148.23!uio.no!Norway.EU.net!127.0.0.1!nobody From: Erik Naggum Newsgroups: comp.lang.lisp Subject: Re: Using READ as an internet firewall [was Re: What case problem ...] Date: 20 Nov 2000 03:32:25 +0000 Organization: Naggum Software; vox: +47 800 35477; gsm: +47 93 256 360; fax: +47 93 270 868; http://naggum.no; http://naggum.net Lines: 46 Message-ID: <3183679945164742@naggum.net> References: <86r9478zq3.fsf@animal.interhack.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Trace: oslo-nntp.eunet.no 974704621 28967 195.0.192.66 (20 Nov 2000 07:17:01 GMT) X-Complaints-To: newsmaster@eunet.no NNTP-Posting-Date: 20 Nov 2000 07:17:01 GMT mail-copies-to: never User-Agent: Gnus/5.0803 (Gnus v5.8.3) Emacs/20.7 Xref: supernews.google.com comp.lang.lisp:4018 * Matt Curtin | The problem with this, of course, is that "filtering out bad stuff" | violates the principle of Least Privilege, i.e., instead of | disallowing the things that you don't want, it should allow nothing by | default and allow only the things that you do want and whose affect on | the system you've already analyzed. But this is actually pretty easy to accomplish. Just bind *readtable* to a copy of the standard readtable and go modify it to your heart's content -- you now have full control over everything the reader does. I would suggest you make # a constituent character unless you _really_ need dispatching while reading your data. | Using more capable (and safer) tools doesn't eliminate our need to | move with care or to adhere to good security design principles; they | merely help us avoid stupid implementation mistakes. I agree, except I think "merely" is an understatement. | Footnotes: | [1] Assuming that the implementation itself isn't subject to the | problem, of course, which might be quite a lot to assume if you | can't see and audit the implementation yourself. Not really. (1) You have to be extraordinarily clever to get a C/C++ implementation exactly right, because the designs of those languages make it hard to implement anything intelligently and safely -- you have to think in another language, such as Lisp, to think of all the things you have to take care of. Take a look at the string class in C++, just how much _more_ it does than the old char*. (2) If you use features in the language that are used for many other things, too, you get community debugging experience for free. This is very much unlike the kinds of things people do in C/C++, where safety and security are _not_ the norm, and in many cases, morons with one keyboard too many think they may sacrifice some efficiency if they don't write their own code, which will never be exposed to community debugging experiences. Having a data reader _in_ the language that the whole system depends on for its proper operation means you would find bugs so much sooner. #:Erik -- ALGORITHM: a procedure for solving a mathematical problem in a finite number of steps that frequently involves repetition of an operation. ALGOREISM: a procedure for solving an electoral problem in a finite number of steps that frequently involves repetition of an operation.